International Association for Cryptologic Research (IACR)
Abstract
Domain-Specific Pseudonymous Signature schemes were recently proposed for privacy preserving authentication
of digital identity documents by the BSI, German Federal Office for Information
Security.
The crucial property of domain-specific pseudonymous signatures
is that a signer may derive unique pseudonyms within a so-called domain.
Now, the signer's true identity is hidden behind his domain pseudonyms
and these pseudonyms are unlinkable, i.e. it is infeasible to
correlate two pseudonyms from distinct domains
with the identity of a single signer.
In this paper we take a critical look at
the security definitions and constructions of domain-specific pseudonymous signatures
proposed so far.
We review two articles which propose "sound and clean"
security definitions and point out some issues
present in these models.
Some of the issues we present may have a strong practical
impact on constructions "provably secure" in these models.
Additionally, we point out some worrisome
facts about the proposed schemes and their security analysis.